Setting an unlawful example: The BBC
Doing the opposite of their promise
BBC News has for a quite some time included embeds from at least Twitter, YouTube and Instagram on a notable amount of their articles.
The integrations are capturing your browsing habits on the pages they are included in for the commercial benefit of not just Twitter, YouTube and Instragram, but for the BBC too.
In reward for including the integrations, the BBC gains the audience analytics, capabilities to remarket on the social media platforms, righs to republish the intellectual property of these services and content features like video playback (this may not be all).
The BBC entered into commercial contracts to trade your personal data with these companies, but they broke these contracts too.
The third parties offer contracts that require that the BBC obtain consent from users before loading their embeds, consent must also be informed, with the user presented with details of what will be collected. They also require that the BBC ensures their terms of service is upheld in the usage of their integrations.
The BBC did not get consent... worse, the cookie banner on the site that gave the user the impression they were refusing consent was not integrated with the embeds at all, so when users refused data collection, it would happen anyway.
As a result, the BBC broke PECR, GDPR and they broke contract law leaving them liable for lawsuits (although I'd be surprised if the social media companies dare it given the complaints they face for their own practices).
Where it comes to kids though it is worse, as the BBC is not just obliged to follow the Age Appropriage Design Code, but the contractual terms of all integrations limit their usage by children. The terms of service either forbidding any use by under 13s or requiring parental consent and perhaps permission too.
There is a position with regard to data protection consent, that if your website is not intended for children ( like a credit card website ), then you are not obliged to go to the same lengths to protect children as they are not your intended audience.
The BBC is explicitly an all audiences service:
Therefore, apart from where it explicitly advises content is not for minors, the BBC must be appropriate for children under the age of 13 and to do that it must age gate the social media integrations that cannot be used by under 13s and ensure parental permission and consent requirements are met otherwise before loading them.
The leading British website
Rankings of top websites in the UK, list a few large US sites (Facebook, Google, Amazon or similar) and then the BBC.
BBC News ranks as the top website in the UK for news.
The BBC is supposed to be one of the most trusted organisations in the UK, answering not just to law, but to a Royal Charter that commits it:
As consumers
This popularity and trust in the the BBC sets a bar for what we expect in other websites, when it fails to present cookie consent properly, it leaves an impression that this is how it should be, because we trust the BBC.As workers at the BBC
Often staff working in leadership, data protection and web development will be moving on to new ventures, at other publishers online, perhaps in children's charities and they will be carrying with them the experience that it is okay to make websites this way. It is okay to share identifiable tracking data with advertising companies about what users are doing and ignore the contract terms that forbid the integration usage without obtaining consent.As UK organisations online
The BBC sets a bar that organisations don't have to be afraid to leap over, if the BBC can break the law, then why not us? Why risk the competitive cost of compliance, when unlawful behaviour is tolerated or likely rarely noticed due to the technical competence require to spot it. If the BBC doesn't care about kids privacy, then why should it matter to our organisation? This pattern of thoughts might not be so bad for organisations with similar risks to the BBC (other news and media organisations) where the BBC's popularity means the worst has likely already happened, but for those that have higher risk sensitive data (the children's organisations referenced in this site) it risks greater harms to the children than the BBC presents. We need the BBC to set an example for how we expect online organisations to behave, not misbehave.As kids
It is quite likely the BBC will be one of the first websites they use and given many (under 13) are not allowed to use most social media sites, the BBC may be the trigger point for the shadow profiles that are being created of their habits online.The Complaint
23rd December 2022
A complaint was raised with the DPO detailing how their Twitter integration was unlawful and a suggestion that other social media integrations are checked too.
The response
Apart from acknowledging receipt and that it is being reviewd (as evident in their last email), not much:
20th January 2023
18th April 2023
However, at some point between January and April their website has since changed and if you have not accepted cookies yet, then you should see consent boxes embedded in news articles where there are third party embeds.
This is better than the ICO! Who do not obtain consent before loading YouTube Privacy Enhanced Mode (note, the BBC loaded YouTube Privacy Enhanced Mode on this page previously).
But it is still not good enough as whether it is parental permission (reqiured by YouTube for under 18s) or banning under 13s, the BBC does not age gate these by advising children not to accept.
Twitter is explicitly not for under 13s, and including its embed on an all audience site is as bad for a 5 year old as a 14 year old being presented with a PornHub embed - whilst the content may not be explicit, just using the emebd without an age warning or gate presents the child with a recommendation to visit a site that is inappropriate.